CONTROLLER FEED

Access to insight on over 3,000 active botnet command and control IPs using a single XML feed that contains all of our known botnet controllers, across all known protocols (HTTP, IRC, P2P, etc.)

Features

our most comprehensive view of C2

Full Domain, Hash, and DNS resource records

Near real-time identification

updated every 60 minutes

What is the Controller Feed ?

The Controller Feed contains all of our botnet controller data from the Botnet Analysis and Reporting System (BARS), a unique system that enables visibility into botnets that normally evade monitoring, plus other sources for our most comprehensive view of Command and Control (C2) for IRC-based, HTTP-based, and P2P-based botnets. This feed provides the full URL, malware hash, and DNS resource record of the controllers enabling you to cross reference, monitor, or block connections.

The full Controller Feed XML Schema is available and documented with entries varying based on the type of botnet and the insight we have been able to obtain. All times are UTC.

Our data allows for near real-time identification of botnet command and control (C&C) IP addresses (IRC, http, and P2P) built for DDoS, warez, and underground economy to include bot types, passwords, channels, and our insight.

Frequently Asked Questions

This feed has multiple timestamps for C2 (Command and Control Server) entries including generated, first_seen, first_active, came_up, went_down, last_checked. All follow the same time format in UTC of the form: YYYY-MM-DD HH:MM:SS

In addition to specific URL and DNSRR (DNS Resource Record) information for IRC, HTTP and other non-standard or unique controllers (popular with DDoS botnet families), the feed includes the appropriate SHA1/MD5 malware hashes responsible for infection. This represents a single piece of malware that has been observed to connect to this botnet and helps to trace, triage, and eradicate an internal infection.

We pool all the currently known C2 data into this feed from all our different feeds, including HTTP based botnets that we were unable to verify mechanically over the most recent 24 hour period, as they are no longer active for some reason. This serves as a great additional line of defense in the event that these botnets come back online as they occasionally do: there is no delay in reading them; you already have the protection.

As part of the XML schema for this report, each controller and bot has been assigned a “confidence” value, which is a range of 0-100, with 100 being the highest confidence rating. The data in this feed is derived from one or more methods. The confidence value entry depends on the method of collection and analysis. The intention is that partners determine what issues are most important to them and adapt their policy accordingly. At Team Cymru, we understand that no one can make that determination for you better than you. To facilitate that decision making capability we prefer to give you a confidence value to assist you. You may decide that some threats are important, and others are not. This score will help you along the way.